Herd Immunity From Computer Worms
- By Mark Webb-Johnson, Network Box
- April 08, 2021
Remember computer virus worms? That nasty form of malware that crawled around the Internet, infecting everything it could find and then forcing infected hosts to continue the virus’s spread? Recalling these, in our contemporary context of COVID-19 and vaccination programs, made us think about herd immunity and how that term applies equally to both computer and human viruses.
Reproduction Number
The Basic Reproduction Number (Ro) of a virus is used to describe the expected number of cases directly generated by one case in a population where all individuals are susceptible to infection. SARS-CoV-2 (the virus that causes COVID-19) has a Ro somewhere between 2 and 3. In comparison, Polio’s is about 5 to 7, Mumps’ 10 to 12, and Measles’ (one of the most infectious viruses) around 12 to 18.
So, each case of Measles infects 12 to 18 other people in a population without protection. Then each of those 12 to 18 people goes on to infect another 12 to 18, etc. The resulting exponential growth is pretty scary when you think about it.
Now, in any population, the Effective Reproduction Number (Re) — the average number of new infections caused by a single infected individual in a partially susceptible population — should be less than Ro. Some individuals either have natural immunity or gained it through the previous infection, vaccination, or isolation.
With computer viruses, immunity is achieved either by patching the flaw the virus exploits (with anti-malware technology) or network isolation/firewalling (the computer equivalent of social distancing). Quarantine is an effective technique in both humans and computers for limiting the number of hosts an infected individual can contact to reduce the disease’s spread further.
If the Re stays above 1, then the number of hosts infected increases, and the virus spreads. If the Re remains below 1, then the virus peters out and disappears. In reality, the number goes up and down over time, resulting in waves of infection we so often see.
Calculating Herd immunity
Herd Immunity is all about reducing the Re of a virus and the percentage of individuals it can infect.
Think about a virus with a Ro of 2 and a population with no protection (100% susceptible to infection). A single infected host passes on the infection to two others. Now, in a population where more than 50% of people are immune, the Re would fall below 1 (as more than half of those two previously susceptible to infection are no longer in danger), and the virus would slowly go away. When less than 50% are immune, the virus will continue to spread (Re > 1) at a rate dependent on the inverse percentage of the immune population. You can see how the magic number for Herd Immunity depends on the infectiousness of the disease and the effectiveness of the protection.
Stopping computer virus worms
Now, let’s bring this back and look at how this affects computer virus worms’ behavior.
While human viruses typically have incubation periods (the time between infection and infectiousness to others) of days, weeks, or years, computer viruses are instantly infectious. So, while the transmission time of the infection may be similar, this lack of incubation period, coupled with the speed of light transport, means computer viruses spread much more rapidly than human viruses.
A typical zero-day computer virus worm will exploit a vulnerability in a particular version of an operating system or application to infect a remote host and then use that host to continue to spread the virus. For such viruses, the Ro is usually extremely high and dependent only on network and CPU host bandwidth (how fast it can scan and how many vulnerable hosts there are). These viruses can bring networks to a standstill just with their scanning and infection activity as they try to spread.
In the early stages of the virus worm launch, the effective reproduction number is usually similarly high (particularly for those viruses targeting popular applications or operating systems).
Hosts gain immunity, or at least stop being infectable and infectious, in a few ways:
- Not running those vulnerable operating systems or applications.
- Applying patches to protect against the vulnerabilities being exploited (either on the host itself or via virtual patching).
- Anti-malware signatures or heuristic protection.
- Isolation from the infected networks (either via firewall or physical controls).
- Being taken offline due to system damage caused by the infection (aka death).
So, when such virus worms are launched, we see an immediate and rapid increase in the virus’s scanning activity, looking for hosts to infect. Since many targets without protection exist at this stage, the infection rate is often exponential and dramatic. For many worms, this brings networks to a crawl and is so very obvious.
Then, typically within a few hours, the anti-malware companies start to release and distribute signatures (a.k.a. vaccines). One by one, infected hosts are brought offline and cleaned (cured), while others are protected by their anti-malware systems (vaccination).
Smart and proactive administrators start isolating their vulnerable systems to prevent and/or contain infections, and the effective reproduction rate starts to fall. Manufacturers release patches to fix the vulnerabilities, and these are installed.
As time goes by, the population of potentially infectable hosts falls, and it takes longer for the worm to scan to find each new vulnerable target. The effective reproduction number continues to fall until the magic point of Herd Immunity is reached, the number falls below 1, and the virus worm slowly disappears into obscurity.
Unlike human viruses (where our immune systems step in), infected computers continue to be contagious until their owners take active steps to stop them. That can take months or years in some cases, so flare-ups of old viruses can still happen long after the initial release. But eventually, the worm dies off to obscurity, only to be revived in bar stories told by hard-working network administrators.
The simple steps of isolation/quarantine, patching vulnerabilities, and updating anti-virus, have brought the reign of that virus worm to an end. If only it were so easy to defeat COVID-19.
Mark Webb-Johnson, chief technology officer at Network Box, wrote this article.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends. Image credit: iStockphoto/next143